Yesterday I also installed Secure Login Client, but I see one entry for Kerberos Token and one for Microsoft Certificate Store (certificate expired). How does this have to be taken care of for choosing the default SAP Login?

In the earlier document we saw a Secure Login Server entry as default, but we do not have a Secure Login Server.

In order to enable SNC you need to configure the SNC instance profile parameters (transaction RZ10). Please keep in mind that the parameter snc/identity/as defines the distinguished name (the certificate name of the SAP AS ABAP server for SNC). So if you already have an SNC certificate, please define the correct name here.

The background is that the tool STRUST will verify this parameter (certificate name) before it imports the certificate.

How-to: import an X.509 certificate for SNC

Start transaction STRUST. You should see a list of PSE entries here. If you only see System PSE --> SAPCRYPTOLIB is not installed correctly.

Choose in the menu PSE --> Import and choose your *.pse file (SAP AS ABAP SNC certificate). You may be asked for the password (the *.pse file is protected).

Choose in the menu PSE --> Save as and choose SNC SAPCryptolib. Please keep in mind that the certificate name will be checked against the information in the instance profile parameter snc/identity/as.

This PSE.ZIP file is a security token container (and not an X.509 certificate).

If you are using Kerberos for client-to-server SSO, the Kerberos keytab will be added to this security token container. I assume you use the command snc crtkeytab -s SAP/Kerberos<SID>@<DOMAIN> -p <Password> to add a keytab.

If you now want to establish, in parallel, server-to-server secure communication using X.509 certificates, you can use the STRUST application to create X.509 self-signed certificates.
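The name check described above (STRUST compares the certificate subject with snc/identity/as before it accepts the import) can be rehearsed before touching the system. The following script is an added illustration for this thread, not STRUST's own comparison logic and not SAP code. It assumes the SNC name form p:<subject DN> (the 'p:' prefix marks a printable name) and compares the distinguished names component by component; the profile line and the two certificate subjects are constructed sample values.

```python
"""Pre-flight check for an X.509 SNC PSE import: does snc/identity/as in the
instance profile name the same subject as the certificate to be imported?

Added illustration, not STRUST's own comparison logic. Assumes the SNC name
form p:<subject DN>; all sample values are constructed."""

import re

# Constructed sample data: one profile line and two candidate certificate subjects.
PROFILE_LINE = 'snc/identity/as = p:CN=SAPQHR, OU=Basis, O=Firma, C=DE'
PSE_SUBJECT = 'CN=SAPQHR,OU=Basis,O=Firma,C=DE'
OLD_SUBJECT = 'CN=SAPQHR-old, OU=Basis, O=Firma, C=DE'


def parse_profile_value(line):
    """Value of an 'snc/identity/as = ...' profile line, or None if the line sets another parameter."""
    m = re.match(r'^\s*snc/identity/as\s*=\s*(.+?)\s*$', line)
    return m.group(1) if m else None


def normalize_dn(name):
    """Split a DN, optionally prefixed with 'p:', into (TYPE, value) pairs.

    Attribute types are upper-cased and whitespace around the separators is
    dropped; values are kept exactly, because a subject that differs in a
    value is a different identity."""
    if name.startswith('p:'):
        name = name[2:]
    pairs = []
    for rdn in re.split(r'(?<!\\),', name):   # a comma escaped with '\' stays inside the value
        attr_type, _, value = rdn.partition('=')
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def check_identity(profile_line, subject_dn):
    """Return a list of findings; an empty list means the name check should pass."""
    value = parse_profile_value(profile_line)
    if value is None:
        return ['profile line does not set snc/identity/as']
    findings = []
    if not value.startswith('p:'):
        findings.append("SNC name lacks the 'p:' prefix")
    if normalize_dn(value) != normalize_dn(subject_dn):
        findings.append('subject %r does not match snc/identity/as %r' % (subject_dn, value))
    return findings


if __name__ == '__main__':
    for subject in (PSE_SUBJECT, OLD_SUBJECT):
        print(subject, '->', check_identity(PROFILE_LINE, subject) or 'OK')
```

Run it with the value you set in RZ10 and the subject printed for your PSE; a mismatch in any component (here the stale CN of the old certificate) is exactly what STRUST will refuse, so fix the profile parameter or the certificate before the import rather than after a failed one.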

I am not clear on your statement "Kerberos technology will be used for SAP GUI --> AS ABAP, while X.509 certificates will be used for AS ABAP --> AS ABAP":

a) Can X.509 certificates be used for GUI --> AS ABAP SSO as well?

b) The SLL guide says to "import" a PSE while setting up SNC for X.509. But how to create that PSE is not clearly mentioned (commands etc.). (As you mentioned, pse.zip is not a PSE in itself.)

c) What must I add into that PSE before importing it via STRUST? The server public key certificate and the root CA certificate? If so, must the root CA certificate also match the issuer of the root certificate that issues the user PC certificates?

d) Or would it be OK to create any self-signed certificate in the SNC PSE on the server, as long as the root CA certificate is added to the list of "trusted certificates" of the SNC PSE?

We have an established PKI within our company and would like to use the user certificates without the need to install an SLS to generate an out-of-the-box PKI.

Frane: Sure, this is possible. In my answer I referred to the use case scenario of Deepak's environment.

b) The SLL guide says to "import" a PSE while setting up SNC for X.509. But how to create that PSE is not clearly mentioned (commands etc.). (As you mentioned, pse.zip is not a PSE in itself.)

Frane: You can create self-signed certificates, or you can use Secure Login Server, which is part of the SAP NetWeaver Single Sign-On solution.

c) What must I add into that PSE before importing it via STRUST? The server public key certificate and the root CA certificate? If so, must the root CA certificate also match the issuer of the root certificate that issues the user PC certificates?

The current ABAP program "CL_LSO_CE_UTIL================CP" had to be terminated because it has come across a statement that unfortunately cannot be executed.

Error analysis A table is referred to in an SAP Open SQL statement that either does not exist or is unknown to the ABAP Data Dictionary. The table involved is "T529U " or another table accessed in the statement.

I think you are using the server's SNC name as your SNC name when you enter it in transaction SU01. The SNC name entered in SU01 will be the Kerberos name which is generated and displayed in your Secure Login Client.

I think you need to change this as explained above. The server SNC name given under snc/identity/as will always be different from the user's SNC name.

As far as I understand, you will implement SAP NW Single Sign-On using the Active Directory authentication (Kerberos) of the users. Is my assumption correct?

In this case you do not need STRUST, you do not need the SAPCryptoLib, and you do not need to deal with certificates on the ABAP server.

The Secure Login Library Guide describes the steps for configuring the AS ABAP to accept the Kerberos tickets of the users. All you need is to place the Secure Login Library in the folder \sll\, set the instance profile parameters and use the command line utility \sll\snc.

I can provide you more support here if you want. First of all I need to know whether you will set up SSO with Active Directory authentication (Kerberos).

I can see what went wrong. Your Kerberos keytab name is "SAP/KerberosSID@hostname". This is the placeholder from the documentation. You have to use a real account in your real Active Directory.

Do the following steps:

Ask your Active Directory administrator to create a new user account (a service/technical user) in the same domain where all your SAP users are located. If your domain is firma.local, then you need a user account for the SAP server in the domain firma.local. The name of the user account does not matter. SAP's example is to use Kerberos<SID of your AS ABAP> as the name. The password of the new user account must not expire. You will receive a username and a password from your Active Directory administrator. Let us say the username is "KerberosQHR" and the password is "123456".

The next step is that your Active Directory administrator adds the Kerberos Service Principal Name to the user account. He can use the Active Directory tool adsiedit.msc.

If you are using the wrong password with the command snc crtkeytab -s <Name> -p <password>, you will not receive an error message. The password is not validated; it is stored locally in the keytab file.

The SAP users must be in the same domain in which you generated the service account for your ABAP server, e.g. if the users are in the domain firma.local, then the service account for the ABAP server needs to be generated in the domain firma.local.

For user authentication the keytab is used. The SAP system itself, or the machine, does not need to be in an Active Directory domain.
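The points made in this thread about names (do not keep the documentation placeholder, the users must live in the service account's domain, the server's SNC identity is never a user's SU01 SNC name, and crtkeytab does not validate the password) can be checked before anyone runs the command. The script below is an added illustration written for this thread; it is not part of the Secure Login Library or of any SAP tool. It assumes the naming used above: the keytab principal passed to snc crtkeytab -s is SAP/<account>@<REALM>, the server's snc/identity/as is p:CN=<that principal>, and a user's SNC name in SU01 is p:CN=<user>@<REALM>. All sample values are constructed.

```python
"""Pre-flight checks for the Kerberos names used for SNC in this thread.

Added illustration, not part of the Secure Login Library or of SAP's tools.
Assumed naming: keytab principal SAP/<account>@<REALM>, server identity
p:CN=<principal>, user SNC name p:CN=<user>@<REALM>. Samples are constructed."""

import re

DOC_PLACEHOLDER = 'SAP/KerberosSID@hostname'      # the literal placeholder from the documentation
PRINCIPAL_RE = re.compile(r'^SAP/([^/@\s]+)@([^@\s]+)$')
USER_SNC_RE = re.compile(r'^p:CN=([^/@\s]+)@([^@\s]+)$')


def check_service_principal(principal):
    """Problems with the -s value of 'snc crtkeytab'; an empty list means OK.

    What this cannot check: the -p password is written into the keytab
    without being validated against AD, so a wrong password only shows up
    when the first user tries to log on."""
    if principal == DOC_PLACEHOLDER:
        return ['documentation placeholder used instead of a real AD service account']
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return ['expected the form SAP/<account>@<REALM>']
    problems = []
    _account, realm = m.groups()
    if realm != realm.upper():
        problems.append('realm %r is not upper case (this thread reports SNC only worked in UPPER CASE)' % realm)
    if '.' not in realm:
        # Heuristic only: AD domains normally have a dotted DNS name such as FIRMA.LOCAL.
        problems.append('realm %r has no dot; it looks like a host name, not an AD domain' % realm)
    return problems


def check_user_snc_names(service_principal, user_snc_names):
    """Map each SU01 SNC name to its problems: wrong shape, identical to the
    server's own identity, or a realm different from the service account's domain."""
    m = PRINCIPAL_RE.match(service_principal)
    if not m:
        raise ValueError('service principal is not SAP/<account>@<REALM>')
    service_realm = m.group(2).upper()
    server_identity = 'p:CN=' + service_principal     # what snc/identity/as would hold
    findings = {}
    for name in user_snc_names:
        problems = []
        if name == server_identity:
            problems.append("this is the server's own SNC identity, not a user name")
        um = USER_SNC_RE.match(name)
        if um is None:
            problems.append('expected p:CN=<user>@<REALM>')
        elif um.group(2).upper() != service_realm:
            problems.append('realm %s differs from the service account domain %s' % (um.group(2), service_realm))
        findings[name] = problems
    return findings


if __name__ == '__main__':
    # Constructed sample values following the thread's example account KerberosQHR in firma.local.
    service = 'SAP/KerberosQHR@FIRMA.LOCAL'
    print('service principal:', check_service_principal(service) or 'OK')
    print('placeholder:', check_service_principal(DOC_PLACEHOLDER))
    users = ['p:CN=jdoe@FIRMA.LOCAL', 'p:CN=jdoe@OTHER.LOCAL', 'p:CN=' + service]
    for name, problems in check_user_snc_names(service, users).items():
        print(name, '->', problems or 'OK')
```

The realm checks are deliberately strict about case and shape because a keytab built with the wrong principal fails silently at creation time and only surfaces as a logon error later; the password itself cannot be verified offline, so that step still needs a real logon test against the domain.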

We updated our setspn command to register the SPN in AD. And we also created the snc crtkeytab entries using the server name in UPPER CASE.

Now we can log in to the SAP system using Kerberos authentication via Secure Login Client without user ID and password inputs.

But we have one more query: when we uninstall our Secure Login Client from our workstation, our SNC also does not work. What we did is that we uninstalled the Secure Login Client, but in SAP GUI the SNC entry is activated. When we log in to the SAP system it gives an error saying "SncPDL()==SNCERR_INIT unable to load GSS-API DLL named " C:/Prohram Files\SAP\Frontend\SecureLogin\lib\secgss.dll"

Error in SNC.

But what I understand is that SNC is just used for a secure network connection with the backend system, so when we enable SNC and we know the user ID and password, we should be able to log in to the SAP system.